From Sputnik to Stuxnet, CSIS cyber expert Denise Zheng explores war in the 21st century

Senior fellow and director of the Technology Policy Program at CSIS Denise E. Zheng delivers her speech on "The Future of Cyber Warfare" on Friday, July 21, 2017 in the Amphitheater. PAULA OSPINA / STAFF PHOTOGRAPHER

Iran, 2012: Hackers overload the websites of several major American banks in a large-scale denial-of-service attack, temporarily shutting down online access to users’ bank accounts.

North Korea, 2014: The emails of top Sony executives are leaked and several of the company’s unreleased movies are stolen in retaliation against the Kim Jong Un assassination comedy “The Interview.”

China, 2015: The sensitive personal information of more than 20 million U.S. federal employees is stolen and becomes part of a massive database used for Chinese espionage.

“At one point or another, the media, government officials, random people on Twitter, you name it — they’ve labeled these different attacks ‘cyberwarfare,’ ” said Denise Zheng, senior fellow and director of the Technology Policy Program at the Center for Strategic and International Studies. “But with all due respect, none of these incidents … qualify as acts of war.”

Cyberwarfare, it turns out, can be far deadlier.

Zheng, who spoke Friday morning in the Amphitheater at the close of Week Four, “Geopolitics Today: A Partnership with CSIS,” has made a career of studying the new and emerging threats posed by warfare in the age of the internet.

Though currently at CSIS working with “cybersecurity issues, cyber policy, surveillance, electronic surveillance, privacy (and) encryption,” Zheng has held prior positions at the military’s Defense Advanced Research Projects Agency working on “cyberwarfare programs” and at the software company CA Technologies, where she learned about security issues in consumer tech.

But before all that she was a Senate staffer, working to draft “comprehensive cybersecurity legislation to secure our nation’s critical infrastructure against cyberattacks.”

It was only a few months into that job that she saw the scale of that threat in real time.

“News broke of what was probably the most sophisticated and most damaging cyberattack … (and) disclosure of (that) incident launched the world into a global arms race to develop cyberwarfare capabilities; a race between many countries around the world,” Zheng said. “And this was Stuxnet.”

Stuxnet was originally discovered by German engineering conglomerate Siemens as an exploitable software vulnerability in their industrial control systems; experts across the planet tried to figure out what the malware’s target was and how much damage it could do when it got there.

“It was incredibly well written by an expert not only in hacking, but (in) industrial control systems,” Zheng said. “This (wasn’t) your typical hacker.”

Based on serial numbers included in the code, it was deduced that Stuxnet was made to sabotage centrifuges by changing the frequency at which they spun.

Only then did onlookers find the answer to a question that had arisen seven months earlier, when the International Atomic Energy Agency inspected a uranium enrichment plant in Natanz, Iran, and noticed that centrifuges there were “failing at an unprecedented rate.”

“Experts started putting the pieces together and realized that Stuxnet was likely the cause of the failure of the centrifuges in Iran,” Zheng said. “And unlike other malware, Stuxnet … caused a physical effect: the destruction of physical equipment by digital means.”

The Stuxnet incident gave Zheng and her colleagues on Capitol Hill a chance to push for legislation that would require the owners and operators of vulnerable American infrastructure (such as the power grid) to take steps to secure their facilities against cyberthreats.

“The irony was not entirely lost on us,” Zheng said. “If the reporting is correct … (Stuxnet) was likely a U.S.-led operation with assistance from Israel.”

With Stuxnet having proven that “code could be weaponized,” countries around the world rushed to build defenses against a cyberattack and to develop such capacity for their own militaries. The result is a geopolitical landscape where countries are now investing “hundreds of billions of dollars” in cyberwarfare.

Yet the fallout didn’t only take place overseas.

The covert nature of Stuxnet drove a wedge between the Department of Defense, whose actions are held to standards of transparency and accountability, and the intelligence community, which is typically not limited in the same ways.

“The Stuxnet model is not scalable for cyberwar,” Zheng said.

Thus, if cyber is to become a significant part of American military might, it will require heavy investment and innovation.

That’s where DARPA comes in.

Zheng’s former employer, DARPA, was formed in the Eisenhower years as a response to the Soviet launch of Sputnik. It was tasked with pursuing “revolutionary technology to prevent strategic surprise.” And from the 1970s, when it invented the early internet to facilitate nuclear research, to the modern day, where it is pioneering humanoid robotics and mind-controlled prosthetics, it has pursued those ends.

“DARPA is also tasked with cyberwarfare projects; to solve some of the challenges that I talked about earlier, about resources, about the fact that it’s hard to repeat these types of attacks, about how we don’t have perfect information about the target,” Zheng said.

One project Zheng worked on with the agency was Plan X, a simulated map that makes it easier to visualize what the digital battlespace of cyber conflicts looks like. She hopes it will answer questions like how “devices (are) connected to each other (and) what is the latency of communication between those machines.”

Artificial intelligence can also automate some of the more “tedious, complex” aspects of cyberwarfare, she added.

Because cyberwarfare requires extensive training, yet has trouble competing with the private sector paycheck-wise, she also sees a future in “gamifying” certain aspects of cyberwar so that laypeople can do the work, too.

Of course, DARPA works at the cutting edge of military tech; the current geopolitical landscape is a bit more tame.

“I don’t know how long out that is, but that is the distant reality,” Zheng said.

That said, cyberwarfare “is a real thing” now, already incorporated into military efforts reaching from nuclear system controls to outer space and underwater operations. The era of mass connectivity is also one of mass vulnerability, and military leaders are currently preoccupied with “how to integrate cyber into traditional warfare.”

The borderless, ever-flowing internet is a hard arena to manage, though. And with features like anonymity and physical remoteness baked into its very nature, the tables seem tilted in favor of aggressors.

“Anonymity makes it really difficult to deter cyberattacks because we don’t have a good way to attribute (them) in a public way,” Zheng said. “And this brings us to the topic of deterrence.”

Without a credible accountability framework for hacking and malware, it is difficult to threaten malicious actors with criminal retribution. The need for prosecutable evidence becomes even more dire when played out on the international stage.

“Most of the methods that we use to attribute cyberattacks are classified … so for example, when the Sony attack happened, our intelligence community came out, the administration came out and said, ‘This is North Korea,’ ” Zheng said. “Well, North Korea denied it. … It gives the adversary, the source of the attacks, some plausible deniability.”

Difficulties in interpreting these attacks, and underdeveloped lines of communication regarding them, open up the threat of escalation.

Furthermore, the ever-changing nature of networks and software means that militaries will constantly have to “groom” their cyber weapons in order to keep them up to date and usable.

“This is sort of a technical limitation, and so that’s why cyber, presently, is much more attractive as a tool for espionage — to spy, to collect data,” Zheng said.

China, for instance, “does a lot of cyber spying; in fact, it’s probably the most damaging thing in cyberspace right now.” By digitally stealing trade secrets, it advances its own national economy; the industries highlighted in its five-year plans typically correspond well with the sectors of the U.S. economy that tend to get hacked.

Chinese hacking may have been the topic du jour in Zheng’s field for some time, but that changed when Edward Snowden “blew the lid off of secret cyber espionage (and) electronic surveillance programs” domestically.

Now, America and the world at large have become engulfed in debate about digital security, with everything from personal privacy to criminal justice to global trade on the line.

“So cyber isn’t just about warfare in a military context; it’s also about espionage and it’s also about global commerce … (and) we need to think about these different types of activities (as) distinct things,” Zheng said.

Adapting to the world of cyberwar requires change. Governments will need to train and equip a new workforce; nation-states must develop policies for dealing with cyberthreats; institutions as fundamental as the electoral system may have to reckon with unprecedented threats.

Amid all that dynamism, though, there is still a place for the individual to take a stand.

“You as citizens need to hold (these institutions) accountable,” Zheng said. “You need to ask them, ‘What are you doing to protect these systems? What are you doing to uncover the vulnerabilities? What are you doing to ensure that my vote is secure?’ So contact your local officials. Learn more about this. Ask the right questions, and hold them accountable.”

Brian Contreras covers the morning lecture series for the Daily. He is a rising sophomore at Stanford University pursuing a career in journalism. His interests as a writer include political investigation, the human side of technology and cross-cultural ethnographic research. He is also interested in backpacking, science fiction, running, good food and political satire. Contact him at briancontreras42@gmail.com.